The app was compromised for almost a month

Sep 18, 2017 12:07 GMT  ·  By

Piriform, the company that makes the popular CCleaner application, has just announced that a release of its application was tampered with and used to gather information about the machines it was installed on and send it to an unknown party.

Attackers usually prefer to break into insufficiently secured servers and take the data they want directly, which generally means the people administering and developing those systems were not doing their job. Modifying an application's code before it is distributed, so that the vendor's own signed installer gathers information about users' devices, is on a different level: every user who installed the official build was affected, with no server break-in on their side at all.

Piriform hasn't said how its systems were penetrated or how the executable was modified before release, but it has described what the tampered binary does, and it's not a pretty sight. Even the short summary of the event is alarming.

“An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems,” wrote Paul Yung, VP for Products at Piriform.

What was the application doing?

It turns out that the attack was designed to proceed in two stages, but according to Piriform the attackers never actually reached the second stage. Two releases of CCleaner were affected: 5.33.6162 (the 32-bit desktop build) and 1.07.3191 (the Cloud variant). The 64-bit desktop build was left untouched, and that was probably deliberate; tampering with it as well would have attracted too much attention.
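The first thing a practitioner wants after reading the list of affected releases is a way to find the machines that actually ran them. The triage helper below is an added example, not Piriform's or Avast's code: it reads a software inventory export in a constructed CSV layout (hostname, product, version, arch; the column names are an assumption about the format) and flags hosts running the builds named in Piriform's advisory, 5.33.6162 (32-bit desktop) and 1.07.3191 (Cloud). Hosts on the 64-bit 5.33 build are reported separately, because the advisory does not list them as affected but they are still on the old release and should be updated anyway.

```python
"""Triage helper for the CCleaner incident: flag inventoried hosts that ran an
affected release. Added example; the CSV layout and the sample rows are
constructed for illustration and are not an Avast/Piriform format."""
import csv
import io

# Affected releases per Piriform's advisory: (product, version tuple, arch or None).
# Only the 32-bit desktop build is affected; the advisory names no architecture
# for CCleaner Cloud, so any architecture matches (None).
AFFECTED = (
    ("ccleaner", (5, 33, 6162), "x86"),
    ("ccleaner cloud", (1, 7, 3191), None),
)

# Normalise the many ways an inventory tool spells the architecture (assumed aliases).
ARCH_ALIASES = {
    "x86": "x86", "32-bit": "x86", "32bit": "x86", "win32": "x86", "i386": "x86",
    "x64": "x64", "64-bit": "x64", "64bit": "x64", "amd64": "x64", "x86_64": "x64",
}


def parse_version(text):
    """'1.07.3191' -> (1, 7, 3191). Components are compared as integers so that
    '1.07.3191' and '1.7.3191' are the same release; non-digits are ignored."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def normalise_arch(text):
    key = text.strip().lower()
    return ARCH_ALIASES.get(key, key)


def classify(product, version, arch):
    """Return 'affected' for a build named in the advisory,
    'same-release-other-arch' for the same version number on an architecture
    the advisory does not list (the 64-bit 5.33 desktop build), else 'ok'."""
    prod = product.strip().lower()
    ver = parse_version(version)
    for aff_prod, aff_ver, aff_arch in AFFECTED:
        if prod == aff_prod and ver == aff_ver:
            if aff_arch is None or normalise_arch(arch) == aff_arch:
                return "affected"
            return "same-release-other-arch"
    return "ok"


def triage(inventory_csv):
    """Map hostname -> verdict for every host that is not 'ok'.
    A host with several rows keeps its worst verdict ('affected' wins)."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        verdict = classify(row["product"], row["version"], row["arch"])
        if verdict != "ok" and findings.get(row["hostname"]) != "affected":
            findings[row["hostname"]] = verdict
    return findings


# Constructed sample export (hypothetical hosts and rows, not real data).
SAMPLE_INVENTORY = """hostname,product,version,arch
ws-001,CCleaner,5.33.6162,x86
ws-002,CCleaner,5.33.6162,x64
ws-003,CCleaner,5.34.6207,x86
ws-004,CCleaner Cloud,1.07.3191,x86
ws-005,CCleaner Cloud,1.7.3191,amd64
ws-006,Notepad++,7.5.1,x86
"""

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {verdict}")
```

Version strings are compared as integer tuples rather than as text on purpose: inventory tools disagree about leading zeros ("1.07" versus "1.7"), and a plain string comparison would silently miss affected Cloud installs. Matching is deliberately exact rather than a range check, since the advisory names specific builds, not a span of versions.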

As for the information CCleaner collected and sent to a remote IP address, there isn't much users can do about that now. Paul Yung explained that the computer name, the list of installed software including Windows updates, the list of running processes, the MAC addresses of the first three network adapters, and some further details such as whether processes were running with administrator privileges were all collected, encrypted and sent off.

Avast Threat Labs helped with the investigation, which is still ongoing. Law enforcement has been notified, and an update has been released for users of both the desktop and Cloud versions. It remains to be seen whether more will surface in the coming days about where the attackers were operating from or what their actual goal was.